fix(serialize-json): prevent json injection via malicious comments

2024-04-20 14:30:39 +02:00 · 2024-04-20 14:30:39 +02:00 · 7bcde68b9f
parent 615ff12c27
commit 7bcde68b9f
1 changed files with 4 additions and 1 deletions
--- a/commons-serialize-json/src/main/java/io/gitlab/jfronny/commons/serialize/json/JsonWriter.java
+++ b/commons-serialize-json/src/main/java/io/gitlab/jfronny/commons/serialize/json/JsonWriter.java
@ -182,7 +182,10 @@ public class JsonWriter extends SerializeWriter<IOException, JsonWriter> impleme
    private void writeDeferredComment() throws IOException {
        if (!deferredComments.isEmpty()) {
            if (newline.isEmpty()) {
-                out.append("/* ").append(String.join(" / ", deferredComments)).append(" */");
+                out.append("/* ")
+                        .append(String.join(" / ", deferredComments)
+                                .replace("*/", "#/"))
+                        .append(" */");
            } else {
                boolean first = true;
                for (String s : deferredComments) {